Reputation: 1429
I have registered the app in Azure AAD with reply URLs. Enabled id_token and auth token. If I give the exact URL as the parameter it works fine, but if I add the query string as a parameter in the reply URL it does not work and throws an error:
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: ''.
Below is my sample URL format generated by the ADAL.js file.
https://login.microsoftonline.com/.onmicrosoft.com/oauth2/authorize
?response_type=id_token
&client_id=
&redirect_uri=?p1=123&p2=456
&state=62439108-d296-4a0d-91cc-4f6580656e83
&client-request-id=1a5ad90a-26fc-4e60-bbcc-8d58bbbcc1f7
&x-client-SKU=Js
&x-client-Ver=1.0.13
&nonce=a4a6215c-0706-4fbc-91a9-36e4cd3a262e
If I remove this ?p1=123&p2=456 query string from the redirect_url, it works fine. The other workaround I see is that if I go to the legacy app registration and add "*" at the end of the URL, it works. But the new app registration does not allow "*" in the reply_url during registration.
Has anyone else faced the same issue and fixed it without adding "*" in the reply_url registration? Please let me know.
Upvotes: 0
Views: 1847
Reputation: 58908
This is an issue with ADAL.js (and MSAL.js) setting the redirect URI to the current URL by default. You can get around it with an approach like this:
window.location.origin + "/aad-callback"
(or anything else)/aad-callback
, handle the tokens from the URL fragment
I wrote an article related to this but for MSAL.js: https://joonasw.net/view/avoiding-wildcard-reply-urls-with-msal-js. The concepts are the same for ADAL.js.
Upvotes: 3
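The approach from the answer above, as an added example (not code from the original answer, ADAL.js or MSAL.js): one fixed reply URL is registered and sent as redirect_uri, the page's own query string is kept in storage, and the callback page returns to it only if it stays on the same origin. The function names, the storage key, the in-memory storage stand-in and the app.example values are assumptions made for illustration.

```javascript
const CALLBACK_PATH = "/aad-callback"; // path used in the answer
const RETURN_KEY = "aad.returnPath";   // hypothetical storage key

// The single exact value to register as reply URL and to send as redirect_uri.
function fixedRedirectUri(loc) {
  return loc.origin + CALLBACK_PATH;
}

// Before sign-in starts: remember the page the user was on, query string included.
function rememberReturnPath(loc, storage) {
  storage.setItem(RETURN_KEY, loc.pathname + loc.search);
}

// On the callback page: read the response parameters from the URL fragment.
function parseFragment(hash) {
  return Object.fromEntries(new URLSearchParams(hash.replace(/^#/, "")));
}

// After the tokens are handled: go back to the stored path, same origin only.
function consumeReturnPath(loc, storage) {
  const stored = storage.getItem(RETURN_KEY);
  storage.removeItem(RETURN_KEY);
  if (!stored) return "/";
  let target;
  try {
    target = new URL(stored, loc.origin);
  } catch {
    return "/";
  }
  // Reject values that resolve off-origin (e.g. "//other.example") or loop back.
  if (target.origin !== loc.origin || target.pathname === CALLBACK_PATH) return "/";
  return target.pathname + target.search;
}

// Minimal stand-in for sessionStorage so the example also runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}

// Constructed round trip: page with ?p1=123&p2=456, then the callback page.
function demo() {
  const page = { origin: "https://app.example", pathname: "/orders", search: "?p1=123&p2=456" };
  const storage = memoryStorage();
  rememberReturnPath(page, storage);
  const redirectUri = fixedRedirectUri(page);
  const params = parseFragment("#id_token=constructed.token.value&state=constructed-state");
  return { redirectUri, params, back: consumeReturnPath(page, storage) };
}
```

In a browser, `window.location` and `window.sessionStorage` take the place of the constructed `page` object and `memoryStorage()`.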